Allow requests from local IPv6 addresses
If administrator selects EXTERNAL for Require SSL setting, allow clear-text HTTP requests when client is coming from IPv6 link-local or unique local address (ULA). Previously only private IPv4 addresses were allowed and private IPv6 addresses were rejected. Closes #30678 Signed-off-by: Tero Saarni <tero.saarni@est.tech>
parent
7b316afc74
commit
62fd969fe1
2 changed files with 15 additions and 2 deletions
|
@ -51,10 +51,23 @@ public enum SslRequired {
|
||||||
private boolean isLocal(String remoteAddress) {
|
private boolean isLocal(String remoteAddress) {
|
||||||
try {
|
try {
|
||||||
InetAddress inetAddress = InetAddress.getByName(remoteAddress);
|
InetAddress inetAddress = InetAddress.getByName(remoteAddress);
|
||||||
return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isSiteLocalAddress();
|
return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isSiteLocalAddress() || inetAddress.isLinkLocalAddress() || isUniqueLocal(inetAddress);
|
||||||
} catch (UnknownHostException e) {
|
} catch (UnknownHostException e) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the address is within IPv6 unique local address (ULA) range RFC4193.
|
||||||
|
*/
|
||||||
|
private boolean isUniqueLocal(InetAddress address) {
|
||||||
|
if (address instanceof java.net.Inet6Address) {
|
||||||
|
byte[] addr = address.getAddress();
|
||||||
|
// Check if address is in unique local range fc00::/7
|
||||||
|
return ((byte) (addr[0] & 0b11111110)) == (byte) 0xFC;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
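Review bot: `inetAddress.isLinkLocalAddress()` in the new return line of `isLocal` is not IPv6-specific: for an `Inet4Address` it is also true for 169.254.0.0/16, so this change additionally allows clear-text HTTP from IPv4 link-local clients, which neither the commit description nor the documentation hunk mentions. If only IPv6 is intended, narrow the term to `(inetAddress instanceof java.net.Inet6Address && inetAddress.isLinkLocalAddress())`; otherwise add `169.254.x.x` to the documented list. Because this predicate decides when TLS may be skipped, a short comment above the return listing each accepted range would make any later widening visible in review, as would a unit test per range, which is not among the two changed files. The caller that supplies `remoteAddress` lies outside the hunk, so whether the value can come from a proxy-forwarded header is not visible here.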
@ -17,7 +17,7 @@ image:images/general-tab.png[General Tab]
|
||||||
. Set *Require SSL* to one of the following SSL modes:
|
. Set *Require SSL* to one of the following SSL modes:
|
||||||
|
|
||||||
* *External requests*
|
* *External requests*
|
||||||
Users can interact with {project_name} without SSL so long as they stick to private IP addresses such as `localhost`, `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, and `172.16.x.x`.
|
Users can interact with {project_name} without SSL so long as they stick to private IPv4 addresses such as `localhost`, `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, `172.16.x.x` or IPv6 link-local and unique-local addresses.
|
||||||
If you try to access {project_name} without SSL from a non-private IP address, you will get an error.
|
If you try to access {project_name} without SSL from a non-private IP address, you will get an error.
|
||||||
|
|
||||||
* *None*
|
* *None*
|
||||||
|
|